Sign SSH keys¶
Use authorized key signature¶
Storing each authorized key's signature alongside the key lets theo-agent verify the signature before it hands the key to sshd. As long as the signing private key stays secret, nobody who can tamper with the stored keys can inject an unsolicited authorized key and gain access to your servers: a key whose signature does not verify is simply not returned to sshd.
Setup¶
First, create a private/public key pair; we'll use openssl:
openssl genrsa 4096 | openssl pkcs8 -topk8 -v2 aes-256-cbc -out private.pem
It will prompt you for a pass phrase: keep it somewhere safe, you will need it every time theo signs a key. The private key is written in encrypted PKCS#8 form; restrict it to the user that performs the signing (chmod 600 private.pem) and keep it off the hosts that run theo-agent, which only need the public key.
Now extract the public key (theo-agent uses it to verify the signatures):
openssl rsa -in private.pem -pubout -out public.pem
It will ask for the pass phrase to unlock the private key.
Configure¶
To enable signing, set two variables: THEO_PRIVATE_KEY and THEO_PRIVATE_KEY_PASSPHRASE.
You can do it in two ways:
- Export them as environment variables when executing theo.
- Add them to a config file (the first file found is used):
$PWD/.env
$HOME/.theo/env
/etc/theo/env
THEO_PRIVATE_KEY must point to your private key (use the full path). THEO_PRIVATE_KEY_PASSPHRASE is the pass phrase that unlocks the private key. Since the config file holds the pass phrase in clear text, make it readable only by the user that runs theo (chmod 600).
Since theo-cli 0.9.0 you can also pass the private key path and the pass phrase as command-line arguments:
--certificate, -c Path to private key [string]
--passphrase, -p passphrase for private key [string]
--passphrase-stdin, -i read passphrase for private key from stdin [boolean]
Prefer --passphrase-stdin over --passphrase: a pass phrase given on the command line is visible to every local user in the process list (ps) and ends up in your shell history.
Usage¶
When adding a new authorized key to a user, add the --sign flag to have theo sign the SSH public key.
Using the private key and pass phrase from the environment or the config file:
theo keys add john.doe@example.com \
--sign \
--key "ssh-rsa AAAAB3NzaC1yc2E[...]7xUw== john.doe@laptop"
Reading the pass phrase from stdin:
theo keys add john.doe@example.com \
--passphrase-stdin \
--sign \
--key "ssh-rsa AAAAB3NzaC1yc2E[...]7xUw== john.doe@laptop"
Passing the pass phrase as an argument:
theo keys add john.doe@example.com \
--passphrase your-passphrase \
--sign \
--key "ssh-rsa AAAAB3NzaC1yc2E[...]7xUw== john.doe@laptop"
Passing the private key path as well, with the pass phrase from stdin:
theo keys add john.doe@example.com \
--passphrase-stdin \
--certificate $HOME/private/theo-private.pem \
--sign \
--key "ssh-rsa AAAAB3NzaC1yc2E[...]7xUw== john.doe@laptop"
Passing both the private key path and the pass phrase as arguments:
theo keys add john.doe@example.com \
--passphrase your-passphrase \
--certificate $HOME/private/theo-private.pem \
--sign \
--key "ssh-rsa AAAAB3NzaC1yc2E[...]7xUw== john.doe@laptop"
Since theo-cli 0.10.0, if you prefer to produce the signature yourself (using OpenSSH or another tool) you can pass it to theo with the --signature argument. The signature must be hex-encoded, as in the example below, and computed with the same private key whose public half theo-agent holds; otherwise the agent will reject the key.
theo keys add john.doe@example.com \
--key "ssh-rsa AAAAB3NzaC1yc2E[...]7xUw== john.doe@laptop" \
--signature "81db52ca9a0d6d2[...]31a62663c0ce0a38c24cd7"
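The following script is an added example, not code from the theo project: it carries the whole procedure above through non-interactively, from the key pair created in the Setup section to a self-made hex signature of the kind --signature accepts, and then performs the agent-side check that only needs public.pem. It assumes that theo's signature is an RSA (PKCS#1 v1.5) SHA-256 signature over the exact authorized-key line, hex-encoded; the sample key line, the pass phrase and the scratch directory are constructed for the demo. Confirm the signature scheme against theo's source before feeding signatures produced this way to theo.

```shell
#!/usr/bin/env bash
# Added example (not theo's own code). Assumed scheme: RSA PKCS#1 v1.5 with
# SHA-256 over the exact authorized-key line, signature hex-encoded.
set -eu

WORK="$(mktemp -d)"                 # scratch dir; private.pem/public.pem land here
PASS="correct horse battery staple" # demo pass phrase only; never hard-code a real one
KEY_BITS="${KEY_BITS:-4096}"

# 1. Same key generation as the Setup section, but with -passout/-passin so it
#    runs unattended instead of prompting for the pass phrase.
gen_keys() {
    openssl genrsa "$KEY_BITS" 2>/dev/null \
      | openssl pkcs8 -topk8 -v2 aes-256-cbc -passout "pass:$PASS" -out "$WORK/private.pem"
    chmod 600 "$WORK/private.pem"
    openssl rsa -in "$WORK/private.pem" -passin "pass:$PASS" \
        -pubout -out "$WORK/public.pem" 2>/dev/null
}

# 2. Sign one authorized-key line (no trailing newline) and print lowercase hex,
#    the form the --signature argument takes.
sign_key() {
    printf '%s' "$1" \
      | openssl dgst -sha256 -sign "$WORK/private.pem" -passin "pass:$PASS" \
      | od -An -v -tx1 | tr -d ' \n'
}

# hex -> raw bytes (xxd when available, python3 otherwise)
hex_to_bin() {
    if command -v xxd >/dev/null 2>&1; then
        xxd -r -p
    else
        python3 -c 'import sys,binascii;sys.stdout.buffer.write(binascii.unhexlify(sys.stdin.read().strip()))'
    fi
}

# 3. The agent-side check: needs only public.pem. Returns 0 when the signature
#    matches the key line exactly, non-zero for any change to key or signature.
verify_key() {
    printf '%s' "$2" | hex_to_bin > "$WORK/sig.bin"
    printf '%s' "$1" \
      | openssl dgst -sha256 -verify "$WORK/public.pem" \
            -signature "$WORK/sig.bin" >/dev/null 2>&1
}

# Constructed sample key line; a real one comes from the user's ~/.ssh/*.pub.
KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExampleOnlyNotARealKey== john.doe@laptop"

gen_keys
SIG="$(sign_key "$KEY")"
printf 'signature: %s... (%s hex chars)\n' "$(printf '%s' "$SIG" | cut -c1-16)" "${#SIG}"
if verify_key "$KEY" "$SIG"; then echo "genuine key line: accepted"; fi
if verify_key "$KEY attacker@evil" "$SIG"; then echo "BUG: tampered key accepted"; else echo "tampered key line: rejected"; fi
```

The verification step is the property the page relies on: the agent holds only public.pem, so whoever can edit the key store but lacks private.pem cannot produce a signature that passes, and appending even one character to the key line invalidates the signature.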